Tuesday, 28 January 2014

Dynamics CRM 2013 ADFS 2.1 with Windows 2012 - CRM Outlook client issue

If you configure claims-based authentication with ADFS 2.1 on Windows Server 2012 you will find that you can't configure the CRM Outlook client. This is due to a bug in ADFS 2.1 which does not set the ActiveMexEndpoint recorded in CRM to the correct location.

When you attempt to configure the CRM Outlook client you get:


14:44:16|  Error| Error connecting to URL: https://mycrm.com:444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)


In CRM the ADFS ActiveMexEndpoint is held in the FederationProvider table, column ActiveMexEndpoint; this value is written every time you configure claims-based authentication. On the MSCRM_CONFIG database run the following query:

select * from FederationProvider

The default url looks like this:
https://myadfs.domain.com/adfs/ls/mex

And you need to update it to:
https://myadfs.domain.com/adfs/services/trust/mex

To update the ActiveMexEndpoint run the query below against the MSCRM_CONFIG database (take a backup of MSCRM_CONFIG first; direct edits to the configuration database are not supported by Microsoft):

update FederationProvider
set ActiveMexEndpoint = 'https://myadfs.domain.com/adfs/services/trust/mex'

Alternatively you can run the PowerShell script from the following Microsoft KB article:
http://support.microsoft.com/kb/2828015/en-gb

You can also apply a hotfix released specifically to correct this issue:
http://support.microsoft.com/kb/2827748/en-us 
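As an added example (not part of the original post), the following PowerShell does the same fix with the checks a practitioner would want around it: it reads the current value, confirms that the corrected MEX URL actually serves WS-MetadataExchange before anything is changed, and runs the update inside a transaction with a WHERE clause so that exactly one row changes and a second run changes nothing. The SQL instance name and the ADFS host name are assumptions; back up MSCRM_CONFIG before running it.

```powershell
# Added example, not part of the original post. Assumptions: SQL instance name, ADFS host name.
$SqlServer = 'CRMSQL\MSCRM'                                         # assumed MSCRM_CONFIG instance
$OldMex    = 'https://myadfs.domain.com/adfs/ls/mex'                # value ADFS 2.1 left in the table
$NewMex    = 'https://myadfs.domain.com/adfs/services/trust/mex'    # correct WS-Trust MEX endpoint

function Test-MexEndpoint {
    param([string]$Url)
    # A working MEX endpoint answers 200 with a WSDL document; anything else means ADFS itself needs fixing.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200 -and $resp.Content -match 'definitions')
    } catch {
        Write-Warning "MEX probe of $Url failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-ActiveMexEndpoint {
    param([string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=MSCRM_CONFIG;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT ActiveMexEndpoint FROM FederationProvider'
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { [string]$rdr['ActiveMexEndpoint'] }
    } finally {
        $conn.Close()
    }
}

function Set-ActiveMexEndpoint {
    param([string]$Server, [string]$Old, [string]$New)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=MSCRM_CONFIG;Integrated Security=SSPI"
    $conn.Open()
    $tx = $conn.BeginTransaction()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.Transaction = $tx
        # Parameterised and constrained to the known wrong value: a re-run, or an already fixed row, changes nothing.
        $cmd.CommandText = 'UPDATE FederationProvider SET ActiveMexEndpoint = @new WHERE ActiveMexEndpoint = @old'
        [void]$cmd.Parameters.AddWithValue('@new', $New)
        [void]$cmd.Parameters.AddWithValue('@old', $Old)
        $rows = $cmd.ExecuteNonQuery()
        if ($rows -ne 1) { throw "Expected exactly 1 row to change, got $rows; rolling back." }
        $tx.Commit()
        return $rows
    } catch {
        $tx.Rollback()
        throw
    } finally {
        $conn.Close()
    }
}

if (-not (Test-MexEndpoint -Url $NewMex)) { throw 'Corrected MEX URL does not serve metadata; fix ADFS before touching CRM.' }
Write-Host "Before: $(Get-ActiveMexEndpoint -Server $SqlServer)"
Set-ActiveMexEndpoint -Server $SqlServer -Old $OldMex -New $NewMex | Out-Null
Write-Host "After:  $(Get-ActiveMexEndpoint -Server $SqlServer)"
```

Run it as an account with db_owner on MSCRM_CONFIG from a machine that can reach both the SQL instance and the ADFS farm. If the probe of the new URL fails, the problem is on the ADFS side and rewriting the CRM table will not help.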


If you need assistance configuring ADFS in your company feel free to contact me at: nuno.m.costa@gmail.com

Thursday, 16 January 2014

Dynamics CRM Office365 email relay

This article walks you through how to relay CRM email to Office 365 using both the Email Router and an SMTP virtual server.

The idea is to have the Email Router forward all email to the virtual SMTP server. Why use an SMTP virtual server? It can relay email to virtually any mail server on the internet, and its greatest advantage is relaying email from different senders, e.g. when you have CRM users whose primary email address is not on your company's email domain. With the virtual SMTP server you can choose where email from those users is sent.

Also, and this is where we focus our configuration, the SMTP server is able to relay email to Office 365. The Office 365 settings are the following:

  • SMTP server: smtp.office365.com
  • Port: 587
  • TLS (STARTTLS)

We will go through the following items:

  1. Self-signed certificate
  2. Office365 settings
  3. SMTP server configuration
  4. SMTP domain configuration
  5. CRM Email Router
  6. Read Me


To install the SMTP server on Windows 2008 or 2012 use Add Roles and Features in Server Manager. Adding the SMTP Server feature automatically installs the IIS 6.0 Management Console snap-in under Administrative Tools; this is required to manage the SMTP virtual server.

Note: Because Office 365 requires TLS you will need a certificate; a self-signed certificate will work perfectly for this.

1. Generate a self-signed certificate
In the IIS 7 console, select the server node and double-click Server Certificates.

On the right-hand side click Create Self-Signed Certificate, fill in the details and click Finish.

2. Office365 Set up
Before we configure the SMTP server we need an account that is allowed to connect to Office 365 and to send email as other users.

Navigate to portal.office365.com, go to Users and Groups and click the user account you want to use.

After you open the user account go to Licenses and make sure the account has an Exchange Online license.



The account also needs SendAs permission on the Exchange Online mailboxes whose addresses it will send from. To grant this, connect to Exchange Online with remote PowerShell and run the following commands (the empty quotes are the mailbox to send as and the relay account):

$Cred = Get-Credential
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $s
# FullAccess lets the relay account open the mailbox; it is not required just to relay through it
Add-MailboxPermission -Identity "" -User "" -AccessRights FullAccess
# SendAs is the permission that allows the relay account to use the mailbox address as the From address
Add-RecipientPermission -Identity "" -AccessRights SendAs -Trustee ""

You can read more about these commands in the following articles:


3. Configuring the SMTP server
Open the IIS 6.0 management console and you should see the screenshot below. Right-click the SMTP virtual server and click Properties.

On the General tab you don't have to change anything unless you want to enable logging:

Click on the Access tab; here we need to make sure the relay restrictions allow the Email Router to relay email. Click the Relay button.

Below I've chosen "All except the list below". You should be more specific and list only the Email Router's IP address, so that only the Email Router can relay through this server: with "All except the list below", any host that can reach port 25 can use the virtual server as an open relay, sending through your Office 365 account.

The Delivery tab defines the general settings of the SMTP virtual server:
  • Outbound connection port
  • Default smart host (the server emails are sent to)
  • Authentication with the smart host
Click on Outbound Connections.

And change the port to 587.

Click on the Advanced button and type:
  • Fully-qualified domain name (your Office 365 domain): mydomain.onmicrosoft.com
  • Smart host: smtp.office365.com

Click on Outbound Security and choose:
  • Basic Authentication
  • type username@domain.onmicrosoft.com and its password
  • tick the TLS encryption box

4. SMTP Domain
We need a remote domain to tell the SMTP server that email for this specific domain is to be sent to that smart host; this is the beauty of having an SMTP virtual server.

Click on Domains, right-click and select New Domain.

Select 'Remote domain'.

Type your Office 365 domain:

When the domain has been created, right-click it in the Domains section and select Properties:

On the screen below:
  • Tick the box to allow incoming mail to be relayed to this domain
  • Choose Forward all mail to smart host
  • Click on Outbound Security

Type the Office 365 user account and password and tick the TLS encryption box.

5. Email Router configuration
Okay, we are almost there :)
Now the Email Router needs to be configured to point at the virtual SMTP server, so that it sends all CRM email to the SMTP server to be processed.

In the Email Router Configuration Manager create a new outgoing profile and in the Email Server field type your new SMTP virtual server; if it is on the same machine you can type localhost.

Now link your deployment with the new outgoing configuration profile.
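The relay restriction from step 3 is the one setting in this walkthrough that decides who can send mail through your Office 365 account, so it is worth verifying rather than trusting the dialog. As an added example (not part of the original post), the following PowerShell talks raw SMTP to the virtual server, issues MAIL FROM and RCPT TO for a recipient outside the relay's own domains, and reports the reply without ever sending a message. Run it once from the Email Router host (expected: 250) and once from any other machine (expected: 550 5.7.1 Unable to relay). The host names and addresses are assumptions.

```powershell
# Added example, not part of the original post. Host names and addresses below are assumptions.
function Test-SmtpRelay {
    param(
        [string]$Server = 'relay.corp.local',             # the IIS SMTP virtual server (assumed name)
        [int]$Port      = 25,
        [string]$From   = 'crm@corp.local',               # a sender address the Email Router would use
        [string]$To     = 'someone@external-example.com'  # a domain the virtual server is NOT authoritative for
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    function Read-Reply {
        # Multi-line SMTP replies use "250-" continuation lines; the last line of a reply is "250 ".
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }
    function Send-Cmd([string]$cmd) { $writer.WriteLine($cmd); Read-Reply }

    try {
        [void](Read-Reply)                          # 220 banner
        [void](Send-Cmd "EHLO relaytest.corp.local")
        [void](Send-Cmd "MAIL FROM:<$From>")
        $rcpt = Send-Cmd "RCPT TO:<$To>"            # this reply is the relay decision
        [void](Send-Cmd "RSET")                     # abandon the envelope; nothing is sent
        [void](Send-Cmd "QUIT")
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        Server    = $Server
        Recipient = $To
        Reply     = $rcpt
        RelayOpen = [bool]($rcpt -match '^250')     # 250 = accepted for relay; 550 5.7.1 = refused
    }
}

Test-SmtpRelay
```

If RelayOpen is True from a host other than the Email Router, the virtual server is relaying for anyone on the network through your Office 365 credentials; go back to Access > Relay, choose "Only the list below" and add just the Email Router's address.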



Read Me
If you need assistance configuring Office 365 email relay please let me know at nuno.m.costa@gmail.com

Hope the article was helpful. If you need to relay email to multiple domains in Office 365 you can add extra remote domains; if you need to relay email to domains outside Office 365 you can add a new virtual server to hold the other domains.


Wednesday, 4 December 2013

Do you find my posts helpful?

If you like to grab a coffee or tea and read some of my posts, and you think they have added value to the CRM community, please consider nominating me for MVP at the link below:

http://mvp.microsoft.com/en-us/nominate-an-mvp.aspx

My email address: nuno.m.costa@gmail.com

Thanks for your help.

Regards
Nuno Costa

Friday, 22 November 2013

Dynamics CRM 2013 Exchange auto-discovery

I was troubleshooting the auto-discovery process in CRM 2013 server-side synchronization and built an interesting picture of the process; if you ever need to troubleshoot Exchange auto-discovery I hope this article helps.

The diagram below illustrates the steps the CRM Asynchronous Service takes to look up an Exchange server:

  1. Queries DNS (an SRV record) for an LDAP server
  2. Queries LDAP for SCP pointers and SCP URLs
  3. LDAP returns the data and CRM connects via HTTPS to the relevant Exchange server

For troubleshooting I'm using Wireshark for network traffic capture. Before you start capturing packets, enable auto-discovery on one of the Exchange profiles and make sure you have one mailbox for testing; then start the capture in Wireshark and enable the mailbox. This triggers the verification steps and you should see success or failure messages in CRM; when you have all 3 messages go back to Wireshark and stop the capture.

The first protocol we want to look at is DNS, so we can see what CRM is querying to find the Exchange server: in the Wireshark filter bar type dns.

Below we see a number of things happening, but the first thing I noticed is CRM querying for an SRV record of type _ldap:
_ldap._tcp.London._sites.domain.com

If we open the packet we can see the servers that are returned for that query.

Fine, so let's see what's happening on the LDAP side: type ldap in the filter bar and you should see the following conversation:

There is quite a lot going on in the above capture; digging into a number of packets I came across the traces below, which show that CRM is looking up:

  • SCP pointers
  • SCP URLs

You can get more information about this at:

http://msdn.microsoft.com/en-us/library/ee332364(v=exchg.140).aspx
http://msdn.microsoft.com/en-us/library/ee160402(v=exchg.80).aspx

To test this I copied the filter from the captured packet into the ldp tool and ran the same search, also including the attributes listed in the captured packet: serviceBindingInformation and keywords.

(&(objectClass=serviceConnectionPoint)(|(keywords=67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596)))

The first GUID marks an SCP pointer (its serviceBindingInformation is an LDAP URL to another forest) and the second an SCP URL (its serviceBindingInformation is the Autodiscover HTTPS URL).

If I run the above query I get the following results:

So we have the query needed to reproduce the LDAP lookup CRM performs to find the Exchange server. After this step all traffic is HTTPS and we can't see what is going on in the capture.
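As an added example (not part of the original post), the following PowerShell reproduces the two lookups seen in the capture without Wireshark or ldp: the SRV query for the site's LDAP servers, and the SCP search with the exact filter above, then classifies each result the way an Autodiscover client does (site-scoped SCP URLs first, then unscoped URLs, then pointers into other forests). The two keyword GUIDs are the documented Autodiscover markers; the domain, AD site name and search root are assumptions.

```powershell
# Added example, not part of the original post. The keyword GUIDs are the documented Autodiscover
# SCP markers; the domain, site name and search root are assumptions.
$ScpUrlGuid     = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'   # keywords value on an SCP URL object
$ScpPointerGuid = '67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68'   # keywords value on an SCP pointer object

function Get-SiteLdapServers {
    param([string]$Site = 'London', [string]$Domain = 'domain.com')
    # Step 1 of the capture: the SRV query for the LDAP servers of the client's AD site.
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Get-AutodiscoverScp {
    param(
        [string]$SearchRoot = 'LDAP://CN=Configuration,DC=domain,DC=com',  # SCP objects live in the configuration NC
        [string]$ClientSite = 'London'                                     # AD site of the CRM async server (assumed)
    )
    # Step 2 of the capture: the same filter CRM sent, as seen in Wireshark and reproduced in ldp.
    $filter   = "(&(objectClass=serviceConnectionPoint)(|(keywords=$ScpPointerGuid)(keywords=$ScpUrlGuid)))"
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('serviceBindingInformation', 'keywords', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $keywords  = @($r.Properties['keywords'])
        $binding   = @($r.Properties['serviceBindingInformation'])
        $sites     = @($keywords | Where-Object { $_ -like 'Site=*' } | ForEach-Object { $_.Substring(5) })
        $isPointer = [bool]($keywords -contains $ScpPointerGuid)
        # Autodiscover clients try SCP URLs scoped to their own site first, then unscoped URLs, then pointers
        # (a pointer's binding is an LDAP URL into another forest, where this same search is repeated).
        $preference = if ($isPointer) { 3 } elseif ($sites -contains $ClientSite) { 1 } else { 2 }
        $type       = if ($isPointer) { 'SCP pointer' } else { 'SCP URL' }
        [pscustomobject]@{
            Preference        = $preference
            Type              = $type
            Sites             = ($sites -join ',')
            Binding           = ($binding -join ' ')
            DistinguishedName = [string]$r.Properties['distinguishedName'][0]
        }
    }
}

Get-SiteLdapServers | Format-Table -AutoSize
Get-AutodiscoverScp | Sort-Object Preference | Format-Table Preference, Type, Sites, Binding -AutoSize
```

Run it as the CRM service account on the Asynchronous Service server so the results reflect what that account can actually read; the Binding column of the Preference 1 row is the Autodiscover URL CRM will hit over HTTPS, which is the part the packet capture cannot show.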

Hope this helps.

Monday, 18 November 2013

Dynamics CRM 2013 Editing image permissions

I found that out-of-the-box the Salesperson security role cannot edit his/her image. This seems to be a bug, as the error screen does not let you navigate away from it unless you refresh the page. I also found that after importing my organizations, users couldn't edit or upload images because of the same missing permission.

So if you try to edit your image with the Salesperson security role, you get the following message:

The only way to close this error message is to refresh IE. To allow users to edit their image make sure they have the permission below:

Friday, 8 November 2013

Dynamics CRM 2013 Configuring Exchange Synchronization

With Dynamics CRM 2013 the Asynchronous Service now provides server-side Exchange synchronization, allowing users to:

  • Synchronize contacts, tasks and appointments
  • Process outgoing emails
  • Process incoming emails
    • Automatically track emails based on correlation rules (smart matching and/or tracking token)
All this without the need for the CRM Outlook client.

In the past appointments could only be synchronized with the CRM Outlook client installed and configured; if you booked an appointment with multiple people, the appointment would only appear in the other users' Outlook calendars if those users also had the CRM client installed and synchronizing with CRM. Exchange synchronization removes this need for the CRM client: appointments you create that involve other people are written directly to their Exchange mailboxes, so they automatically get a meeting request to accept or decline.

In this article I will walk through how to set up Exchange synchronization with Dynamics CRM 2013. Here is an overview of the steps:
  1. Set up an IIS self-signed certificate
  2. Configure Exchange impersonation
  3. Create and configure a CRM 2013 Exchange profile
  4. Configure user mailboxes
  5. Configure CRM global email settings
  6. Test synchronization
  7. Design overview
  8. Known issues
  9. Summary and references
Before we start configuring CRM 2013 with Exchange we need HTTPS in place. A self-signed certificate generated by IIS is enough to get us going in a lab; in production bind a certificate issued by a CA that your servers and clients trust.

1. Self-signed Certificate
To generate the certificate open IIS Manager, select the server node and double-click Server Certificates.

On the right-hand side click Create Self-Signed Certificate.

Give it a name (I call it MyCertificate), leave Personal selected and click OK.

You should see the certificate in the list:

The next step is to bind the Dynamics CRM website to HTTPS (443).

Select the Microsoft Dynamics CRM website under Sites and on the right-hand side choose Bindings. In the window that opens choose https in the Type field; this enables the SSL certificate field, where we choose MyCertificate. Click OK.

2. Exchange Account Impersonation
Before we start configuring profiles in CRM we need to make sure the CRM service account has impersonation rights on the Exchange side. To do this run the following commands in the Exchange Management Shell:

Exchange 2010
New-ManagementRoleAssignment -Name "" -Role:ApplicationImpersonation -User ""

For example: New-ManagementRoleAssignment -Name "CRM ExServiceAcc" -Role:ApplicationImpersonation -User crm13.service

Note that an assignment without a scope is organization-wide: the service account can then impersonate every mailbox in the organization, not just the ones CRM synchronizes.

Exchange 2007
Get-MailboxServer "" | Add-AdPermission -User "" -AccessRights ExtendedRight -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation

The second PowerShell command requires the Distinguished Name (DN) of the Client Access Server (CAS).

To enable impersonation rights on a single CAS server use the following command:

Get-ClientAccessServer -Identity "" | Add-AdPermission -User "" -ExtendedRights ms-Exch-EPI-Impersonation
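The Exchange 2010 assignment above gives the CRM service account impersonation over the whole organization. As an added example (not part of the original post), the following Exchange Management Shell commands restrict it to a management scope that contains only the mailboxes CRM synchronizes, and then verify the result. It needs Exchange 2010 SP1 or later; the group name, service account name and the custom attribute used as a marker are assumptions.

```powershell
# Added example, not part of the original post. Assumptions: the 'CRM Users' group, the account name,
# and CustomAttribute1 being free to use as a marker in your Exchange organization.
$ServiceAccount = 'crm13.service'              # the CRM Asynchronous Service account
$ScopeName      = 'CRM Synchronized Mailboxes'
$TagValue       = 'CRM'                         # marker stamped on in-scope mailboxes

# 1. Tag the mailboxes CRM is allowed to impersonate (here: mailbox members of an assumed group).
Get-DistributionGroupMember -Identity 'CRM Users' |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -CustomAttribute1 $TagValue }

# 2. A management scope that matches only the tagged mailboxes.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "CustomAttribute1 -eq '$TagValue'"

# 3. The same role as in the post, but written to that scope instead of the whole organization.
New-ManagementRoleAssignment -Name 'CRM Impersonation' -Role ApplicationImpersonation `
    -User $ServiceAccount -CustomRecipientWriteScope $ScopeName

# 4. Verify: the assignment must show the custom scope, and the scope must resolve to exactly the intended mailboxes.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope
Get-Mailbox -Filter "CustomAttribute1 -eq '$TagValue'" | Select-Object Name, PrimarySmtpAddress
```

New CRM users then only need the marker set (step 1) to fall inside the scope; if a mailbox later fails Test & Enable with an impersonation error, the first thing to check is whether it carries the tag.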


3. Configuring CRM Exchange Profile
With the HTTPS binding in place navigate to CRM using https://server/organization and go to Settings > Email Configuration.

Click on Email Server Profiles and then New Exchange Profile:

Fill in the details as per the screenshot below. You could use auto-discovery if it works for you; I have tested it in my environment and it worked perfectly. The service account we specified has been given server-wide impersonation.
I've named the profile UK Mailboxes; if you have users across different countries, with Exchange servers located at those sites, you should create multiple profiles with the corresponding Exchange servers.

Leave the Advanced settings as they are:

Navigate to Mailboxes and on the ribbon choose Add Existing Mailbox. By default a mailbox record is generated automatically for every user created or imported during an organization import, so when you click Add Existing Mailbox the system lists all available user accounts.

4. Configuring Mailboxes
At this stage we have created an Email Server Profile and added 2 mailboxes; let's double-click one of the mailboxes:

Change the:
Server Profile: UK Mailboxes (the profile we just created)

Incoming Email: Server-Side Synchronization or Email Router
Outgoing Email: Server-Side Synchronization or Email Router

Note: in the Configuration Test Results you should see Not Run instead of Success; the screenshot was taken after the configuration was completed.

Approve the email address and then click Test & Enable Mailbox:

You then get the following alert message on the mailbox record:

Click on Alerts and in a few seconds you will see the following messages coming up:

This means all checks completed successfully and you are ready to test it in Outlook. If you look back at the mailbox General tab you should now see the Configuration Test Results as Success.

During this test a test email is sent to your Inbox:
This is a test message to check the outgoing email configuration for [User].


5. CRM Global Email settings
Before we start the Outlook test, let's first look at the CRM global email settings. Navigate to Settings > Administration > System Settings.

Go to the Email tab; this section has a number of important settings that you should think about in the design phase rather than at implementation.

Configure email processing:
Here you define the default method used to process users' email; as the dialog says, if you choose Server-Side Synchronization it blocks the Email Router. As we want to test server-side synchronization, choose it instead of the Email Router.

Configure default synchronization method:
This defines the defaults for users' mailboxes and is very important from a design perspective because it avoids duplicated work. If all your users are in the UK you can default the server profile to UK Mailboxes; if you have users across different countries you can still define a default Email Server Profile using auto-discovery and then manually work out any specific users that require a particular server profile.

For incoming email, outgoing email, and appointments, contacts and tasks, default to Server-Side Synchronization or Email Router; this makes sure either can be used.

Below you define whether to process email only for approved users and queues. If email processing is not a sensitive subject in your implementation I would recommend unticking these boxes, because it removes the extra approval click in the configuration steps we saw above. Bear in mind that approval is a control: with it unticked, a mailbox's email address is processed as soon as it is set, without an administrator confirming that it belongs to that user.

Configure email correlation: by default both tracking token and smart matching are enabled; which to use is a business requirement rather than a performance or optimization question. The tracking token adds a token (CRM:Number) to the subject of emails sent from CRM, and replies carrying it are matched by CRM; smart matching is more transparent to users and uses a matching pattern (subject, sender and recipients) to find emails that should be tracked in CRM.

Note: Using a tracking token is more efficient than smart matching, but at the cost of being less transparent to users.

6. Test Synchronization
You are ready to test Exchange synchronization: create an appointment in CRM, include yourself and another CRM user as required attendees, fill in the other details and save. In a few minutes, if all works well, a meeting request is received in Outlook by all attendees.

To test sending email, confirm that Configure Email Processing in the global email settings is set to server-side synchronization, send an email to someone from CRM and ask that person to reply; you should see the reply tracked automatically in CRM.

7. Design Overview
In the design overview I just want to share a high-level diagram of the possible design routes for server-side synchronization.

The diagram illustrates a possible scenario where the main office is in Lisbon and the 3 branch offices all have CRM users, but only 2 of them use their own Exchange server. In CRM you define 3 Email Server Profiles:

  • Default Exchange Profile configured with Lisbon Exchange server
  • New-York CRM Profile configured with New-York Exchange Server
  • London CRM Profile configured with a London Exchange server

The default Exchange server profile is applied to all user mailboxes, so you only have to assign profiles manually to the mailboxes of users in London and New York. Tokyo and Lisbon both fall back to the default profile, which points at Lisbon.

8. Known issues
While testing server-side synchronization I found that some mailboxes didn't get processed even though the configuration test results passed successfully. Enabling tracing on the Asynchronous Service I found the error below; this has been logged with Microsoft and is currently being investigated, so if you find yourself unable to test server-side synchronization bear in mind this could apply to your mailbox: create a new user with a brand new mailbox to test your CRM configuration.

When this happens you may see the following error message:

In the Asynchronous Service logs we found:

Exception occurred while retrieving folder data from exchange server. Exception: Unhandled Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: s

Server stack trace:
   at System.Convert.FromBase64String(String s)
   at Microsoft.Exchange.WebServices.Data.MapiTypeConverter.<.cctor>b__14(String s)
   at Microsoft.Exchange.WebServices.Data.MapiTypeConverterMapEntry.ConvertToValue(String stringValue)
   at Microsoft.Exchange.WebServices.Data.ExtendedProperty.TryReadElementFromXml(EwsServiceXmlReader reader)
   at Microsoft.Exchange.WebServices.Data.ComplexProperty.InternalLoadFromXml(EwsServiceXmlReader reader, XmlNamespace xmlNamespace, String xmlElementName, Func`2 readAction)
   at Microsoft.Exchange.WebServices.Data.ComplexProperty.LoadFromXml(EwsServiceXmlReader reader, XmlNamespace xmlNamespace, String xmlElementName)
   at Microsoft.Exchange.WebServices.Data.ExtendedPropertyCollection.LoadFromXml(EwsServiceXmlReader reader, String localElementName)
   at Microsoft.Exchange.WebServices.Data.ComplexPropertyDefinitionBase.InternalLoadFromXml(EwsServiceXmlReader reader, PropertyBag propertyBag)
   at Microsoft.Exchange.WebServices.Data.ComplexPropertyDefinitionBase.LoadPropertyValueFromXml(EwsServiceXmlReader reader, PropertyBag propertyBag)
   at Microsoft.Exchange.WebServices.Data.PropertyBag.LoadFromXml(EwsServiceXmlReader reader, Boolean clear, PropertySet requestedPropertySet, Boolean onlySummaryPropertiesRequested)
   at Microsoft.Exchange.WebServices.Data.EwsServiceXmlReader.ReadServiceObjectsCollectionFromXml[TServiceObject](XmlNamespace collectionXmlNamespace, String collectionXmlElementName, GetObjectInstanceDelegate`1 getObjectInstanceDelegate, Boolean clearPropertyBag, PropertySet requestedPropertySet, Boolean summaryPropertiesOnly)
   at Microsoft.Exchange.WebServices.Data.GetItemResponse.ReadElementsFromXml(EwsServiceXmlReader reader)
   at Microsoft.Exchange.WebServices.Data.ServiceResponse.LoadFromXml(EwsServiceXmlReader reader, String xmlElementName)
   at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.ParseResponse(EwsServiceXmlReader reader)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ReadResponse(EwsServiceXmlReader ewsXmlReader)
   at Microsoft.Exchange.WebServices.Data.SimpleServiceRequestBase.ReadResponse(IEwsHttpWebResponse response)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.InternalLoadPropertiesForItems(IEnumerable`1 items, PropertySet propertySet, ServiceErrorHandling errorHandling)
   at Microsoft.Crm.Asynchronous.EmailConnector.MonitoredExchangeService.LoadPropertiesForItems(IEnumerable`1 items, PropertySet propertySet)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
   at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncSteps.LoadPropertiesForItemsStep.LoadPropertiesForItemsDelegate.EndInvoke(IAsyncResult result)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncSteps.LoadPropertiesForItemsStep.EndRequest(IAsyncResult response)

   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncSteps.ExchangeSyncAsyncRemoteStep`2.AfterCall()


9. Summary & References
Hope you have enjoyed this article; please leave your feedback.